SlideShare une entreprise Scribd logo

[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

WSO2
WSO2

Modern enterprises are increasingly adopting APIs, exceeding all predictions. With more businesses investing in microservices and the increased consumption of cloud APIs, you need to secure beyond just a handful of well-known APIs. You will need to secure a higher number of internal and external endpoints. Security itself is a broad area and authentication and authorization is a key element in API security. Vendors implement a number of seemingly similar standards and patterns, making it very difficult for consumers to settle on the best option for securing APIs. The sheer number of options can be very confusing. At the same time, technology stack and industry practices are under a rapid transformation, browsers are enforcing different restrictions, new privacy regulations are in place, and more. That makes the authentication and authorization best practices you relied on a few years ago obsolete now. These slides we will discuss: - What is new and what is old in OAuth 2.0 - Mitigate security exploits by understanding the OAuth 2.0 threat landscape - Pick security standards and protocols to match business needs - Federated identities to expand business APIs beyond the corporate firewall - User strong authentication and authorization for API access - Adaptive and risk-based access control for API

Technologie
1  sur  25
Télécharger pour lire hors ligne
Authentication and Authorization Best Practices for Your API in 2021 June 16, 2021 isharak@wso2.com Director of Engineering, IAM @ WSO2 Ishara Karunarathna
2 The Agenda ● High-level API security architecture ● Authentication and authorization for API access ● Implementing authentication and authorization best practices ○ Demo using WSO2 Identity Server
API Security Architecture
25,000-Foot View of API Security Architecture 4
Closer View of API Security Architecture 5
Recommended OAuth 2.0 Flows for API Access 6 Grant Type Web App Native App SPA Services Device Authorization Code X Authorization Code with PKCE X X Client Credentials X X Implicit Flow X* Password Grant X* Device Authorization Grant X JWT and SAML Grant (RFC7523) X OAuth MTLS (RFC8705) X X Token Exchange (RFC8693) X X
Authentication and Authorization for API Access
8 Over 8.4B records exposed during the first quarter of 2020 Whopping 273% increase compared to Q1 2019 Approximately 70% due to unauthorized access to systems or services Due to the COVID-19 pandemic, millions of employees around the world switched to remote working, and many businesses were forced to adopt digitalization within a short time frame. Attackers thrived during this period because companies skipped some of the long-held security practices in the rush to adopt the new normal. 2020 2020 Q1 Data Breach QuickView Report - Risk Based Security
9 IAM should not be the weakest link in the system
End-User Identity Management Digital identities can be everywhere. Managing them is a primary concern. ● Different user Stores ● Different user types ● Different user schemas ● Different user management workflows 10
11 Authentication Verifying that a person is who they say they are.
Authentication ‘Passwords’ are Not Secure! ● Around 60% of people reuse passwords across multiple sites regularly. ● 13% of people use the same password for all accounts and devices. ● 48% of workers use the same password in both their personal and work accounts. ● 80% of data breaches in 2019 were caused by password compromise. Authentication must be a focal point when protecting your APIs. 12
Strong Authentication Authenticating users by challenging them with multiple authentication factors, e.g., password, SMS, and fingerprint. ● Multi-factor authentication (MFA) ⦿ Knowledge ⦾ Something you know ⦾ Password, pin, secret ⦿ Possession ⦾ Something you have ⦾ Phone, token, badge, smart card ⦿ Inherence ⦾ Something you are ⦾ Fingerprint, facial feature, voice
14 User is not static, so is their authentication ● Authentication needs to be more dynamic and responsive ● Context sensitivity is important ● Security is key, but it should be balanced with convenience
Adaptive Authentication ● Provides high security without impacting usability. ● Select the right authentication factors depending on a user’s risk profile and tendencies. 15
Demo time
Federated API Access 17 Attract developer community Acquisitions and mergers Hassle-free API access
Federated API Access 18
Identity Federation 19
Demo time
21 Authorization Verifying whether the user is permitted to access a specific resource or function.
Authorization ● OAuth 2.0 scopes limit an application's access to a user's resources. ● Authorization server-level and resource-level scope validation. Upcoming, ● Rich Authorization Requests (draft) ● Incremental Authorization (draft) 22
Fine-grained Scope Validation Rule and Policy-Based scope validation: ● XACML ● Open Policy Agent (OPA) 23
Question Time! 24
wso2.com Thanks!

Recommandé

Which ap is which business models_ a real-world guide for banks in sri lanka
Which ap is which business models_ a real-world guide for banks in sri lankaWhich ap is which business models_ a real-world guide for banks in sri lanka
Which ap is which business models_ a real-world guide for banks in sri lankaWSO2
 
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...apidays
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays
 
Best Practices for Productizing APIs with API Management and Automated Testing
Best Practices for Productizing APIs with API Management and Automated TestingBest Practices for Productizing APIs with API Management and Automated Testing
Best Practices for Productizing APIs with API Management and Automated TestingWSO2
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]WSO2
 
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...WSO2
 
Identity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsIdentity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsWSO2
 
An Entry Point to Impactful Open Banking Architecture
An Entry Point to Impactful Open Banking ArchitectureAn Entry Point to Impactful Open Banking Architecture
An Entry Point to Impactful Open Banking ArchitectureWSO2
 

Recommandé

Which ap is which business models_ a real-world guide for banks in sri lanka
Which ap is which business models_ a real-world guide for banks in sri lankaWhich ap is which business models_ a real-world guide for banks in sri lanka
Which ap is which business models_ a real-world guide for banks in sri lankaWSO2
 
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...APIdays Paris 2019 - API Platform Architecture: What to know before going ope...
APIdays Paris 2019 - API Platform Architecture: What to know before going ope...apidays
 
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...
apidays LIVE New York 2021 - Managing the usage of Asynchronous APIs: What do...apidays
 
Best Practices for Productizing APIs with API Management and Automated Testing
Best Practices for Productizing APIs with API Management and Automated TestingBest Practices for Productizing APIs with API Management and Automated Testing
Best Practices for Productizing APIs with API Management and Automated TestingWSO2
 
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]
The Best of Both Worlds: Introducing WSO2 API Manager 4.0.0 [ANZ]WSO2
 
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...
[WSO2Con USA 2018] Design and Implementation of the Veridium Authenticator: A...WSO2
 
Identity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsIdentity Hub’s Role in Social Logins
Identity Hub’s Role in Social LoginsWSO2
 
An Entry Point to Impactful Open Banking Architecture
An Entry Point to Impactful Open Banking ArchitectureAn Entry Point to Impactful Open Banking Architecture
An Entry Point to Impactful Open Banking ArchitectureWSO2
 
API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for MicroservicesWSO2
 
API Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architectureAPI Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architectureWSO2
 
Message based microservices architectures driven with docker
Message based microservices architectures driven with dockerMessage based microservices architectures driven with docker
Message based microservices architectures driven with dockerDocker, Inc.
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Role of API Management in an API led Digital Economy
Role of API Management in an API led Digital EconomyRole of API Management in an API led Digital Economy
Role of API Management in an API led Digital EconomyWSO2
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays
 
Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​WSO2
 
WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9WSO2
 
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in SecondsWSO2
 
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...WSO2
 
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice ArchitectureWSO2
 
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply ChainWSO2
 
Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?WSO2
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays
 
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...WSO2
 
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...WSO2
 
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...apidays
 
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...WSO2
 
[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven World[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven WorldWSO2
 
Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreindragantiSaiHiranma
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock
 

Contenu connexe

Tendances

API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for MicroservicesWSO2
 
API Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architectureAPI Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architectureWSO2
 
Message based microservices architectures driven with docker
Message based microservices architectures driven with dockerMessage based microservices architectures driven with docker
Message based microservices architectures driven with dockerDocker, Inc.
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
Role of API Management in an API led Digital Economy
Role of API Management in an API led Digital EconomyRole of API Management in an API led Digital Economy
Role of API Management in an API led Digital EconomyWSO2
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays
 
Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​WSO2
 
WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9WSO2
 
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in SecondsWSO2
 
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...WSO2
 
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice ArchitectureWSO2
 
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply ChainWSO2
 
Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?WSO2
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays
 
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...WSO2
 
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...WSO2
 
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...apidays
 
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...WSO2
 
[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven World[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven WorldWSO2
 

Tendances (20)

API-first Integration for Microservices
API-first Integration for MicroservicesAPI-first Integration for Microservices
API-first Integration for Microservices
 
API Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architectureAPI Driven Applications - An ecosystem architecture
API Driven Applications - An ecosystem architecture
 
Message based microservices architectures driven with docker
Message based microservices architectures driven with dockerMessage based microservices architectures driven with docker
Message based microservices architectures driven with docker
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
Role of API Management in an API led Digital Economy
Role of API Management in an API led Digital EconomyRole of API Management in an API led Digital Economy
Role of API Management in an API led Digital Economy
 
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
apidays LIVE New York 2021 - Simplify Open Policy Agent with Styra DAS by Tim...
 
Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​Identity Federation Patterns with WSO2 Identity Server​
Identity Federation Patterns with WSO2 Identity Server​
 
WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9WSO2 Product Release Webinar - WSO2 API Manager 1.9
WSO2 Product Release Webinar - WSO2 API Manager 1.9
 
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
[apidays LIVE HONK KONG] - OAS to Managed API in Seconds
 
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
[APIdays Singapore 2019] Managing the API lifecycle with Open Source Technolo...
 
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
[WSO2 Integration Summit Singapore 2019] API-driven Microservice Architecture
 
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
[WSO2 Summit Americas 2020] CIAM and Securing the Integrated API Supply Chain
 
Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?Open Banking and PSD2: Are your APIs ready for external testing?
Open Banking and PSD2: Are your APIs ready for external testing?
 
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
apidays LIVE New York 2021 - Microservice Authorization with Open Policy Agen...
 
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
apidays LIVE New York 2021 - API Management from a network Engineer's perspec...
 
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
[WSO2 Integration Summit Singapore 2019] Achieving Predictable Success in Dig...
 
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...Integrating Healthcare Applications with EMR Systems and Databases and Transf...
Integrating Healthcare Applications with EMR Systems and Databases and Transf...
 
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
apidays LIVE Singapore 2021 - A cloud-native approach to open banking in acti...
 
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
WSO2 Open Healthcare Platform - Healthcare Interoperability Targeting the U.S...
 
[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven World[WSO2 Summit Sydney 2019] API-Driven World
[WSO2 Summit Sydney 2019] API-Driven World
 

Similaire à [APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreindragantiSaiHiranma
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingPing Identity
 
The ForgeRock Identity Platform Extends CIAM, Fall 2017 Release
The ForgeRock Identity Platform Extends CIAM, Fall 2017 ReleaseThe ForgeRock Identity Platform Extends CIAM, Fall 2017 Release
The ForgeRock Identity Platform Extends CIAM, Fall 2017 ReleaseForgeRock
 
E-Lock AdaptAuth.pptx
E-Lock AdaptAuth.pptxE-Lock AdaptAuth.pptx
E-Lock AdaptAuth.pptxArchana833240
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...apidays
 
Mobile Solutions and Market Trends
Mobile Solutions and Market TrendsMobile Solutions and Market Trends
Mobile Solutions and Market TrendsForgeRock
 
Introduction to Solus
Introduction to SolusIntroduction to Solus
Introduction to SolusSolus
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...Sagara Gunathunga
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityCA Technologies
 
Ping Identity: Corporate Overview Financial Services
Ping Identity: Corporate Overview Financial ServicesPing Identity: Corporate Overview Financial Services
Ping Identity: Corporate Overview Financial ServicesBenjamin Canner
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...WSO2
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and GuidelinesWSO2
 
Identity Verification API The Cornerstone of Digital Trust.docx
Identity Verification API The Cornerstone of Digital Trust.docxIdentity Verification API The Cornerstone of Digital Trust.docx
Identity Verification API The Cornerstone of Digital Trust.docxrpacpc
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET Journal
 
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...ijiert bestjournal
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity tech talksIntelligent authentication Identity tech talks
Intelligent authentication Identity tech talksLeonard Moustacchis
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationSylvain Maret
 

Similaire à [APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021 (20)

Going beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much moreGoing beyond MFA(Multi-factor authentication)-Future demands much more
Going beyond MFA(Multi-factor authentication)-Future demands much more
 
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User ExperienceForgeRock and Trusona - Simplifying the Multi-factor User Experience
ForgeRock and Trusona - Simplifying the Multi-factor User Experience
 
Catalyst 2015: Patrick Harding
Catalyst 2015: Patrick HardingCatalyst 2015: Patrick Harding
Catalyst 2015: Patrick Harding
 
The ForgeRock Identity Platform Extends CIAM, Fall 2017 Release
The ForgeRock Identity Platform Extends CIAM, Fall 2017 ReleaseThe ForgeRock Identity Platform Extends CIAM, Fall 2017 Release
The ForgeRock Identity Platform Extends CIAM, Fall 2017 Release
 
E-Lock AdaptAuth.pptx
E-Lock AdaptAuth.pptxE-Lock AdaptAuth.pptx
E-Lock AdaptAuth.pptx
 
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
APIsecure 2023 - Exploring Advanced API Security Techniques and Technologies,...
 
Mobile Solutions and Market Trends
Mobile Solutions and Market TrendsMobile Solutions and Market Trends
Mobile Solutions and Market Trends
 
Introduction to Solus
Introduction to SolusIntroduction to Solus
Introduction to Solus
 
SolusDeck
SolusDeckSolusDeck
SolusDeck
 
kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...kicking your enterprise security up a notch with adaptive authentication sa...
kicking your enterprise security up a notch with adaptive authentication sa...
 
Mobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App SecurityMobile Payment Security with CA Rapid App Security
Mobile Payment Security with CA Rapid App Security
 
Ping Identity: Corporate Overview Financial Services
Ping Identity: Corporate Overview Financial ServicesPing Identity: Corporate Overview Financial Services
Ping Identity: Corporate Overview Financial Services
 
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
[WSO2Con EU 2018] Kicking Your Enterprise Security Up a Notch With Adaptive A...
 
API Security Best Practices and Guidelines
API Security Best Practices and GuidelinesAPI Security Best Practices and Guidelines
API Security Best Practices and Guidelines
 
How To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdfHow To Fix The Most Critical API Security Risks.pdf
How To Fix The Most Critical API Security Risks.pdf
 
Identity Verification API The Cornerstone of Digital Trust.docx
Identity Verification API The Cornerstone of Digital Trust.docxIdentity Verification API The Cornerstone of Digital Trust.docx
Identity Verification API The Cornerstone of Digital Trust.docx
 
IRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure AuthenticationIRJET- Password Management Kit for Secure Authentication
IRJET- Password Management Kit for Secure Authentication
 
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...
A MOBILE BASED ANTI-PHISHING AUTHENTICATION SCHEME USING CHALLENGE-RESPONSE A...
 
Intelligent authentication Identity tech talks
Intelligent authentication Identity tech talksIntelligent authentication Identity tech talks
Intelligent authentication Identity tech talks
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 

Plus de WSO2

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessWSO2
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in ChoreoWSO2
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023WSO2
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzureWSO2
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfWSO2
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in MinutesWSO2
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityWSO2
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...WSO2
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfWSO2
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoWSO2
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsWSO2
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital BusinessesWSO2
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)WSO2
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformationWSO2
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesWSO2
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready BankWSO2
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIsWSO2
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native DeploymentWSO2
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”WSO2
 

Plus de WSO2 (20)

Accelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with PlatformlessAccelerating Enterprise Software Engineering with Platformless
Accelerating Enterprise Software Engineering with Platformless
 
How to Create a Service in Choreo
How to Create a Service in ChoreoHow to Create a Service in Choreo
How to Create a Service in Choreo
 
Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023Ballerina Tech Talk - May 2023
Ballerina Tech Talk - May 2023
 
Platform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on AzurePlatform Strategy to Deliver Digital Experiences on Azure
Platform Strategy to Deliver Digital Experiences on Azure
 
GartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdfGartnerITSymSessionSlides.pdf
GartnerITSymSessionSlides.pdf
 
[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes[Webinar] How to Create an API in Minutes
[Webinar] How to Create an API in Minutes
 
Modernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos IdentityModernizing the Student Journey with Ethos Identity
Modernizing the Student Journey with Ethos Identity
 
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
Choreo - Build unique digital experiences on WSO2's platform, secured by Etho...
 
CIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdfCIO Summit Berlin 2022.pptx.pdf
CIO Summit Berlin 2022.pptx.pdf
 
Delivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing ChoreoDelivering New Digital Experiences Fast - Introducing Choreo
Delivering New Digital Experiences Fast - Introducing Choreo
 
Fueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected ProductsFueling the Digital Experience Economy with Connected Products
Fueling the Digital Experience Economy with Connected Products
 
A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses A Reference Methodology for Agile Digital Businesses
A Reference Methodology for Agile Digital Businesses
 
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
Workflows in WSO2 API Manager - WSO2 API Manager Community Call (12/15/2021)
 
Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation Lessons from the pandemic - From a single use case to true transformation
Lessons from the pandemic - From a single use case to true transformation
 
Adding Liveliness to Banking Experiences
Adding Liveliness to Banking ExperiencesAdding Liveliness to Banking Experiences
Adding Liveliness to Banking Experiences
 
Building a Future-ready Bank
Building a Future-ready BankBuilding a Future-ready Bank
Building a Future-ready Bank
 
WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021WSO2 API Manager Community Call - November 2021
WSO2 API Manager Community Call - November 2021
 
[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs[API World ] - Managing Asynchronous APIs
[API World ] - Managing Asynchronous APIs
 
[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment[API World 2021 ] - Understanding Cloud Native Deployment
[API World 2021 ] - Understanding Cloud Native Deployment
 
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
[API Word 2021] - Quantum Duality of “API as a Business and a Technology”
 

Dernier

Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Dernier (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

[APIdays INTERFACE 2021] Authentication and Authorization Best Practices for your API in 2021

  • 1. Authentication and Authorization Best Practices for Your API in 2021 June 16, 2021 isharak@wso2.com Director of Engineering, IAM @ WSO2 Ishara Karunarathna
  • 2. 2 The Agenda ● High-level API security architecture ● Authentication and authorization for API access ● Implementing authentication and authorization best practices ○ Demo using WSO2 Identity Server
  • 4. 25,000-Foot View of API Security Architecture 4
  • 5. Closer View of API Security Architecture 5
  • 6. Recommended OAuth 2.0 Flows for API Access 6 Grant Type Web App Native App SPA Services Device Authorization Code X Authorization Code with PKCE X X Client Credentials X X Implicit Flow X* Password Grant X* Device Authorization Grant X JWT and SAML Grant (RFC7523) X OAuth MTLS (RFC8705) X X Token Exchange (RFC8693) X X
  • 8. 8 Over 8.4B records exposed during the first quarter of 2020 Whopping 273% increase compared to Q1 2019 Approximately 70% due to unauthorized access to systems or services Due to the COVID-19 pandemic, millions of employees around the world switched to remote working, and many businesses were forced to adopt digitalization within a short time frame. Attackers thrived during this period because companies skipped some of the long-held security practices in the rush to adopt the new normal. 2020 2020 Q1 Data Breach QuickView Report - Risk Based Security
  • 9. 9 IAM should not be the weakest link in the system
  • 10. End-User Identity Management Digital identities can be everywhere. Managing them is a primary concern. ● Different user Stores ● Different user types ● Different user schemas ● Different user management workflows 10
  • 11. 11 Authentication Verifying that a person is who they say they are.
  • 12. Authentication ‘Passwords’ are Not Secure! ● Around 60% of people reuse passwords across multiple sites regularly. ● 13% of people use the same password for all accounts and devices. ● 48% of workers use the same password in both their personal and work accounts. ● 80% of data breaches in 2019 were caused by password compromise. Authentication must be a focal point when protecting your APIs. 12
  • 13. Strong Authentication Authenticating users by challenging them with multiple authentication factors, e.g., password, SMS, and fingerprint. ● Multi-factor authentication (MFA) ⦿ Knowledge ⦾ Something you know ⦾ Password, pin, secret ⦿ Possession ⦾ Something you have ⦾ Phone, token, badge, smart card ⦿ Inherence ⦾ Something you are ⦾ Fingerprint, facial feature, voice
  • 14. 14 User is not static, so is their authentication ● Authentication needs to be more dynamic and responsive ● Context sensitivity is important ● Security is key, but it should be balanced with convenience
  • 15. Adaptive Authentication ● Provides high security without impacting usability. ● Select the right authentication factors depending on a user’s risk profile and tendencies. 15
  • 17. Federated API Access 17 Attract developer community Acquisitions and mergers Hassle-free API access
  • 21. 21 Authorization Verifying whether the user is permitted to access a specific resource or function.
  • 22. Authorization ● OAuth 2.0 scopes limit an application's access to a user's resources. ● Authorization server-level and resource-level scope validation. Upcoming, ● Rich Authorization Requests (draft) ● Incremental Authorization (draft) 22
  • 23. Fine-grained Scope Validation Rule and Policy-Based scope validation: ● XACML ● Open Policy Agent (OPA) 23